Company Sports Tickets & GDPR: What You Need To Know

On May 25, 2018, the sweeping new rules known as GDPR went into effect. The regulations significantly change how companies must manage user data for individuals in the European Union, and companies are scrambling to make sense of it. The urgency is heightened by two factors: the law is ambiguous in several areas, and the penalty for violating it can, in theory, number in the billions of dollars.

What does this have to do with company sports tickets and client entertainment? Simple: if there’s even a chance your company is inviting EU residents to sporting events, you could easily be violating GDPR unless you have taken specific steps to be compliant. That’s true even if the live event in question takes place outside of the EU. In fact, GDPR will affect a large number of US-based companies who will be slow to realize it.

Confused? Let’s review some of the basics.

Who is affected?

GDPR rules cover all organizations that either do business in the EU or process personal data originating in the EU.

On the surface, that might seem fairly unambiguous. But consider the following scenarios:

You’re a US-based software company that primarily markets your products to IT professionals at American companies. One of your email marketing messages is received by the VP of Technology of a US multinational corporation while she is away on business in the EU. Guess what? Any data you collect on her as a result of her receiving and interacting with your email message is subject to GDPR.

Your company sells industrial equipment across the globe. While your primary markets are in Asia, you also have versions of your website ending in European country codes (like .de, .nl, and .fr) which are displayed in the native language of these countries. You are subject to GDPR for any data collected when someone in these countries accesses your website.

Your company is based in the US and regularly distributes surveys to corporate decision makers around the world. One of your surveys is completed by the head of marketing for a French company while he is attending an international conference in Las Vegas. The survey data you collect from him is not subject to GDPR because he was not residing in the EU when he provided these data to you.

You run a US-based CRM website where companies can sign up and upload their customer data. Your company cleans, formats, and displays customer data so corporate leaders can make better decisions about where to focus their efforts. If any of the data uploaded by your customers includes personal data originating in the EU, you guessed it: you are subject to GDPR, even though you did not source the personal data yourself.

GDPR governs how companies treat the personal information they collect about EU residents— how much they collect, why they want it, what they intend to do with it, how they protect it, and how quickly they must alert authorities when these data are breached.

And that’s just the start.

The 99 separate articles that make up GDPR contain extremely specific requirements covering:

the documentation companies must keep about the user data they collect

written justification of why personally identifiable information (PII) must be gathered in the first place

how companies must remove PII from user data before processing it

strict timeframes for when companies must notify authorities after PII is breached externally

appointing a general data officer in companies that regularly deal with large volumes of PII

when users must positively opt in to having their PII processed

how businesses must provide users with a copy of their PII within 30 days of a request being received

the right of users, under certain circumstances, to have their PII erased from company records

The list goes on. It is small wonder that a cottage industry of GDPR consultants has sprung up to help companies navigate the maze of requirements that must now be followed.

Ready to dive into all 99 articles of GDPR?

And if you decide to throw caution to the wind and just figure it out later?

You might not want to do that…

Penalties for non-compliance

In the wake of major data breaches at companies like Yahoo, Facebook, Uber, and more, European officials have decided to impose serious fines for non-compliance with the new law. Companies found in violation can be fined up to 4% of global revenue or 20 million euros, whichever is larger.

You read that right. Clearly, the EU is targeting large multinationals who have been accused of having a devil-may-care attitude toward protecting user data. Some analysts suspect the EU will make an example out of a large corporation to scare others into taking the new rules seriously.

Don’t let that be your company.

Can your company survive a ticket audit?

How does this affect my company sports tickets?

If your company collects personal data about guests and invitees who are located in the EU, you are subject to GDPR. Think about that: if any of the hundreds or thousands of people you take to ball games, concerts, or even dinner happen to be based in the EU when you collect their information, you suddenly have to worry about whether or not you’re in compliance… and how much it will cost you if you’re not.

Unless you use TicketManager. We adhere to the most stringent security and privacy guidelines, including GDPR. In fact, we are one of the only ticket management solutions to achieve SOC security certification— one of the toughest security protocols around.

We use auditors from multiple independent firms to test our security on a regular basis.

GDPR renders all these homegrown solutions obsolete. If you’re not using a ticket management solution that’s compliant with the new standards, you’re putting your company at risk of incurring millions of dollars in fines.